Employees of a vendor paid to conduct COVID-19 contact tracing in Pennsylvania may have compromised the private information of at least 72,000 people, including their exposure status and their sexual orientation, the state Health Department said Thursday.
Agency spokesman Barry Ciccocioppo said in an email it recently learned workers at Atlanta-based Insight Global “disregarded security protocols established in the contract and created unauthorized documents” outside the state's secure data system.
“We are extremely dismayed that employees from Insight Global acted in a way that may have compromised this type of information and sincerely apologize to all impacted individuals,” Ciccocioppo said. He said state computer systems, including Pennsylvania's contact tracing app, were not implicated.
Ciccocioppo said some of the records in question associated names with phone numbers, emails, genders, ages, sexual orientations and COVID-19 diagnoses and exposure status. They did not include financial account information, addresses or Social Security numbers, he said.
The company has been directed to secure the records and has hired third-party specialists to conduct a forensic examination.
The data breach was first reported Thursday by WPXI-TV in Pittsburgh, and state lawmakers were briefed on the problem Thursday morning.
House Majority Leader Kerry Benninghoff, R-Centre, called it an “incredibly careless and damaging breach of trust.”
“This latest example of gross mismanagement by the Wolf administration speaks volumes to the dangers of unchecked, unilateral executive authority and why the people’s voice through their elected representatives and senators needs to be heard during challenging times,” Benninghoff said.
He said the state’s agreement with Insight Global was not competitively bid.
WPXI-TV said former employees of Insight Global told the station they alerted supervisors that information had been improperly secured but no action had been taken.
A message seeking comment was left for the company, which told WPXI that contact tracing information “may have been made accessible to persons beyond authorized employees and public health officials.”
The Department of Health’s emergency contract with Insight Global required the staffing agency to safeguard people’s data and, in the event of “any improper disclosure of information,” to provide credit monitoring and other remedies. It also required Insight Global to comply with federal health privacy law.
Insight Global “recognizes and accepts that the contact tracing workforce will have access to personal health information of contact tracing subjects and must ensure that and all other such information related to the services being provided must be kept confidential and secure,” according to a contract addendum.
The state's health department won't renew the contract with Insight Global that expires in three months. The company will be notifying people affected by the data breach and will open a hotline on Friday for anyone concerned they might have been involved. That number is 855-535-1787.
Free credit monitoring and identity protection services will be offered.
Insight Global, which started a health care division during the pandemic and bills itself as a “leading talent solutions firm,” was under pressure to scale up quickly. The company had to hire 250 contact tracers within 35 days, then bring on additional workers every two weeks until the effort was fully staffed.